clearOrgPolicy(resource=*, body=None, x__xgafv=None)
Clears a `Policy` from a resource.
getEffectiveOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets the effective `Policy` on a resource. This is the result of merging
getOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets a `Policy` on a resource.
listAvailableOrgPolicyConstraints(resource=*, body=None, x__xgafv=None)
Lists `Constraints` that could be applied on the specified resource.
listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
listOrgPolicies(resource=*, body=None, x__xgafv=None)
Lists all the `Policies` set for a particular resource.
listOrgPolicies_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
setOrgPolicy(resource=*, body=None, x__xgafv=None)
Updates the specified `Policy` on the resource. Creates a new `Policy` for
clearOrgPolicy(resource=*, body=None, x__xgafv=None)
Clears a `Policy` from a resource.
Args:
resource: string, Name of the resource for the `Policy` to clear. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the ClearOrgPolicy method.
"etag": "A String", # The current version, for concurrency control. Not sending an `etag`
# will cause the `Policy` to be cleared blindly.
"constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}
getEffectiveOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets the effective `Policy` on a resource. This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag`set because it is a computed `Policy` across multiple resources.
Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
not be expanded.
Args:
resource: string, The name of the resource to start computing the effective `Policy`. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the GetEffectiveOrgPolicy method.
"constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}
getOrgPolicy(resource=*, body=None, x__xgafv=None)
Gets a `Policy` on a resource.
If no `Policy` is set on the resource, a `Policy` is returned with default
values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
`etag` value can be used with `SetOrgPolicy()` to create or update a
`Policy` during read-modify-write.
Args:
resource: string, Name of the resource the `Policy` is set on. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the GetOrgPolicy method.
"constraint": "A String", # Name of the `Constraint` to get the `Policy`.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}
listAvailableOrgPolicyConstraints(resource=*, body=None, x__xgafv=None)
Lists `Constraints` that could be applied on the specified resource.
Args:
resource: string, Name of the resource to list `Constraints` for. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the [ListAvailableOrgPolicyConstraints]
# google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
# and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
# be ignored. The server may at any point start using this field to limit
# page size.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The response returned from the ListAvailableOrgPolicyConstraints method.
# Returns all `Constraints` that could be set at this level of the hierarchy
# (contrast with the response from `ListPolicies`, which returns all policies
# which are set).
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
"constraints": [ # The collection of constraints that are settable on the request resource.
{ # A `Constraint` describes a way in which a resource's configuration can be
# restricted. For example, it controls which cloud services can be activated
# across an organization, or whether a Compute Engine instance can have
# serial port connections established. `Constraints` can be configured by the
# organization's policy adminstrator to fit the needs of the organzation by
# setting Policies for `Constraints` at different locations in the
# organization's resource hierarchy. Policies are inherited down the resource
# hierarchy from higher levels, but can also be overridden. For details about
# the inheritance rules please read about
# Policies.
#
# `Constraints` have a default behavior determined by the `constraint_default`
# field, which is the enforcement behavior that is used in the absence of a
# `Policy` being defined or inherited for the resource in question.
"constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
"displayName": "A String", # The human readable name.
#
# Mutable.
"description": "A String", # Detailed description of what this `Constraint` controls as well as how and
# where it is enforced.
#
# Mutable.
"booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
#
# For example a constraint `constraints/compute.disableSerialPortAccess`.
# If it is enforced on a VM instance, serial port connections will not be
# opened to that instance.
},
"version": 42, # Version of the `Constraint`. Default version is 0;
"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
# configured by an Organization's policy administrator with a `Policy`.
"supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
# can be used in `Policy.allowed_values` and `Policy.denied_values`. For
# example, `"under:folders/123"` would match any resource under the
# 'folders/123' folder.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Constraint`.
},
"name": "A String", # Immutable value, required to globally be unique. For example,
# `constraints/serviceuser.services`
},
],
}
listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
listOrgPolicies(resource=*, body=None, x__xgafv=None)
Lists all the `Policies` set for a particular resource.
Args:
resource: string, Name of the resource to list Policies for. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the ListOrgPolicies method.
"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
# and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
# be ignored. The server may at any point start using this field to limit
# page size.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The response returned from the ListOrgPolicies method. It will be empty
# if no `Policies` are set on the resource.
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
# the server may at any point start supplying a valid token.
"policies": [ # The `Policies` that are set on the resource. It will be empty if no
# `Policies` are set.
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
},
],
}
listOrgPolicies_next(previous_request=*, previous_response=*)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
setOrgPolicy(resource=*, body=None, x__xgafv=None)
Updates the specified `Policy` on the resource. Creates a new `Policy` for
that `Constraint` on the resource if one does not exist.
Not supplying an `etag` on the request `Policy` results in an unconditional
write of the `Policy`.
Args:
resource: string, Resource name of the resource to attach the `Policy`. (required)
body: object, The request body.
The object takes the form of:
{ # The request sent to the SetOrgPolicyRequest method.
"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
"updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
# server, not specified by the caller, and represents the last time a call to
# `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
# be ignored.
"version": 42, # Version of the `Policy`. Default version is 0;
"constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
# `constraints/serviceuser.services`.
#
# Immutable after creation.
"restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
# `Constraint` type.
# `constraint_default` enforcement behavior of the specific `Constraint` at
# this resource.
#
# Suppose that `constraint_default` is set to `ALLOW` for the
# `Constraint` `constraints/serviceuser.services`. Suppose that organization
# foo.com sets a `Policy` at their Organization resource node that restricts
# the allowed service activations to deny all service activations. They
# could then set a `Policy` with the `policy_type` `restore_default` on
# several experimental projects, restoring the `constraint_default`
# enforcement of the `Constraint` for only those projects, allowing those
# projects to have all services activated.
},
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
# `ListPolicy` can define specific values and subtrees of Cloud Resource
# Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
# are allowed or denied by setting the `allowed_values` and `denied_values`
# fields. This is achieved by using the `under:` and optional `is:` prefixes.
# The `under:` prefix is used to denote resource subtree values.
# The `is:` prefix is used to denote specific values, and is required only
# if the value contains a ":". Values prefixed with "is:" are treated the
# same as values with no prefix.
# Ancestry subtrees must be in one of the following formats:
# - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
# - "folders/<folder-id>", e.g. "folders/1234"
# - "organizations/<organization-id>", e.g. "organizations/1234"
# The `supports_under` field of the associated `Constraint` defines whether
# ancestry prefixes can be used. You can set `allowed_values` and
# `denied_values` in the same `Policy` if `all_values` is
# `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
"deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
# By default, a `ListPolicy` set at a resource supercedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
# added to the values inherited up the hierarchy.
#
# Setting `Policy` hierarchies that inherit both allowed values and denied
# values isn't recommended in most circumstances to keep the configuration
# simple and understandable. However, it is possible to set a `Policy` with
# `allowed_values` set that inherits a `Policy` with `denied_values` set.
# In this case, the values that are allowed must be in `allowed_values` and
# not present in `denied_values`.
#
# For example, suppose you have a `Constraint`
# `constraints/serviceuser.services`, which has a `constraint_type` of
# `list_constraint`, and with `constraint_default` set to `ALLOW`.
# Suppose that at the Organization level, a `Policy` is applied that
# restricts the allowed API activations to {`E1`, `E2`}. Then, if a
# `Policy` is applied to a project below the Organization that has
# `inherit_from_parent` set to `false` and field all_values set to DENY,
# then an attempt to activate any API will be denied.
#
# The following examples demonstrate different possible layerings for
# `projects/bar` parented by `organizations/foo`:
#
# Example 1 (no inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has `inherit_from_parent` `false` and values:
# {allowed_values: "E3" allowed_values: "E4"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E3`, and `E4`.
#
# Example 2 (inherited values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {value: "E3" value: "E4" inherit_from_parent: true}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
#
# Example 3 (inheriting both allowed and denied values):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {denied_values: "E1"}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The value accepted at `projects/bar` is `E2`.
#
# Example 4 (RestoreDefault):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values:"E2"}
# `projects/bar` has a `Policy` with values:
# {RestoreDefault: {}}
# The accepted values at `organizations/foo` are `E1`, `E2`.
# The accepted values at `projects/bar` are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 5 (no policy inherits parent policy):
# `organizations/foo` has no `Policy` set.
# `projects/bar` has no `Policy` set.
# The accepted values at both levels are either all or none depending on
# the value of `constraint_default` (if `ALLOW`, all; if
# `DENY`, none).
#
# Example 6 (ListConstraint allowing all):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: ALLOW}
# The accepted values at `organizations/foo` are `E1`, E2`.
# Any value is accepted at `projects/bar`.
#
# Example 7 (ListConstraint allowing none):
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "E1" allowed_values: "E2"}
# `projects/bar` has a `Policy` with:
# {all: DENY}
# The accepted values at `organizations/foo` are `E1`, E2`.
# No value is accepted at `projects/bar`.
#
# Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
# Given the following resource hierarchy
# O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
# `organizations/foo` has a `Policy` with values:
# {allowed_values: "under:organizations/O1"}
# `projects/bar` has a `Policy` with:
# {allowed_values: "under:projects/P3"}
# {denied_values: "under:folders/F2"}
# The accepted values at `organizations/foo` are `organizations/O1`,
# `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
"allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
},
"booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
# resource.
"enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
# configuration is acceptable.
#
# Suppose you have a `Constraint`
# `constraints/compute.disableSerialPortAccess` with `constraint_default`
# set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
# behavior:
# - If the `Policy` at this resource has enforced set to `false`, serial
# port connection attempts will be allowed.
# - If the `Policy` at this resource has enforced set to `true`, serial
# port connection attempts will be refused.
# - If the `Policy` at this resource is `RestoreDefault`, serial port
# connection attempts will be allowed.
# - If no `Policy` is set at this resource or anywhere higher in the
# resource hierarchy, serial port connection attempts will be allowed.
# - If no `Policy` is set at this resource, but one exists higher in the
# resource hierarchy, the behavior is as if the`Policy` were set at
# this resource.
#
# The following examples demonstrate the different possible layerings:
#
# Example 1 (nearest `Constraint` wins):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has no `Policy` set.
# The constraint at `projects/bar` and `organizations/foo` will not be
# enforced.
#
# Example 2 (enforcement gets replaced):
# `organizations/foo` has a `Policy` with:
# {enforced: false}
# `projects/bar` has a `Policy` with:
# {enforced: true}
# The constraint at `organizations/foo` is not enforced.
# The constraint at `projects/bar` is enforced.
#
# Example 3 (RestoreDefault):
# `organizations/foo` has a `Policy` with:
# {enforced: true}
# `projects/bar` has a `Policy` with:
# {RestoreDefault: {}}
# The constraint at `organizations/foo` is enforced.
# The constraint at `projects/bar` is not enforced, because
# `constraint_default` for the `Constraint` is `ALLOW`.
},
"etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
# concurrency control.
#
# When the `Policy` is returned from either a `GetPolicy` or a
# `ListOrgPolicy` request, this `etag` indicates the version of the current
# `Policy` to use when executing a read-modify-write loop.
#
# When the `Policy` is returned from a `GetEffectivePolicy` request, the
# `etag` will be unset.
#
# When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
# that was returned from a `GetOrgPolicy` request as part of a
# read-modify-write loop for concurrency control. Not setting the `etag`in a
# `SetOrgPolicy` request will result in an unconditional write of the
# `Policy`.
}